8 min · May 4 – May 11

Weekly Recap — 2026-05-04 -> 2026-05-11

AI Rush Opens New Attack Paths as Trusted Cloud Services Fuel Phishing

The rush to adopt artificial intelligence is giving attackers two new advantages: convincing lures to trick users and poorly secured infrastructure to exploit. This week, multiple campaigns used fake websites for the Claude AI assistant to infect victims with password-stealing malware, while researchers revealed that commercial robots and AI connection protocols contain critical flaws that let hackers hijack them. Because organizations are deploying AI tools faster than they can secure them, attackers are finding easy entry points into corporate networks.

In parallel, phishing campaigns are increasingly hijacking trusted cloud services like Amazon's email platform and Vercel's AI-powered website builder to send messages that bypass security filters entirely. A massive campaign targeting US employees used fake HR reviews to steal login sessions even when multi-factor authentication was enabled, and the breach of the Canvas learning platform exposed data on 275 million people that can now be used for highly convincing follow-up scams.

These trends together suggest that traditional defenses are losing effectiveness because attackers are hiding inside the systems we already trust. Organizations should immediately patch the actively exploited Palo Alto Networks and Ivanti vulnerabilities flagged by CISA this week, require phishing-resistant authentication methods, and treat every AI tool and robot connected to their network as a high-risk device that needs strict monitoring.


By the Numbers

  • Total articles: 40
  • By severity: Critical: 10, High: 23, Informational: 1, Low: 1, Medium: 5
  • By category: APT: 3, data breach: 2, general security news: 6, malware: 7, phishing/social engineering: 5, threat actor: 1, vulnerability: 16

Top Threats

AI Weaponized as Both Lure and Attack Surface

Attackers are capitalizing on AI hype by creating fake Claude AI download sites that infect users with malware like RedLine Stealer and the Beagle backdoor, because employees eager to use new tools will bypass normal caution. At the same time, the AI infrastructure itself is dangerously insecure: commercial robots from Unitree contain hardcoded backdoors allowing remote hijacking, and the Model Context Protocol (MCP) servers connecting AI agents to business systems lack basic input validation, enabling SQL injection and data theft. This dual threat means organizations face risk from both social engineering around AI and fundamental flaws in the AI systems they deploy.

Trusted Cloud Infrastructure Hijacked for Phishing

Phishing operators are moving away from easily blocked suspicious domains and instead abusing legitimate cloud platforms to send their attacks, because emails and websites hosted on Amazon SES and Vercel automatically pass security checks. A large-scale AiTM campaign used fake HR 'code of conduct' notices to steal authentication tokens that bypass standard multi-factor authentication, while another operation used Vercel's AI website builder to generate pixel-perfect fake login pages in seconds. As a result, defenders can no longer rely on email authentication standards or visual inspection to catch phishing attempts.

Software Supply Chain Under Sustained Siege

Nation-state groups and cybercriminals are systematically poisoning open-source repositories because compromising a single package can cascade to thousands of downstream developers. North Korea's ScarCruft trojanized a gaming platform to target ethnic Koreans, while OceanLotus uploaded malicious Python packages to PyPI that disguise their communications through a legitimate chat application. With PyPI itself admitting to access control flaws that could have let attackers seize control of popular projects, the entire trust model of 'install and build' is under strain, forcing tools like pnpm to add default waiting periods for new packages.

Actively Exploited Critical Vulnerabilities in Perimeter Devices

Three critical vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog this week—CVE-2026-0300 in Palo Alto Networks PAN-OS, CVE-2026-6973 in Ivanti EPMM, and CVE-2026-42208 in BerriAI LiteLLM—because attackers are already using them to breach networks. In parallel, new Linux kernel flaws dubbed Copy Fail and DirtyFrag allow any local user to gain root control without modifying files on disk, with Copy Fail already confirmed as exploited in the wild. These vulnerabilities matter because they sit at the network edge or in core infrastructure, meaning a single unpatched system can compromise an entire organization.

  • CVE-2026-0300 (3 mentions) — Critical unauthenticated buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal, actively exploited in the wild with no patch available at time of disclosure.
  • CVE-2026-6973 (2 mentions) — Improper input validation in Ivanti Endpoint Manager Mobile, actively exploited and added to CISA KEV catalog requiring immediate remediation.
  • CVE-2026-42208 (1 mention) — SQL injection in BerriAI LiteLLM, actively exploited and added to CISA KEV catalog, highlighting that AI infrastructure is already being targeted at the vulnerability level.
  • CVE-2026-31431 (1 mention) — Copy Fail Linux kernel privilege escalation exploiting page cache corruption, confirmed exploited in the wild and added to CISA KEV catalog.
  • CVE-2025-68670 (1 mention) — Pre-authentication remote code execution in xrdp for Linux, allowing full system compromise with no credentials required.

  • Education — The Canvas LMS breach exposed data from 8,800 institutions and 275 million individuals, creating a massive pool of verified personal information that attackers will use for targeted phishing and impersonation campaigns against students and staff for months to come.
  • Technology / Software Development — Developers are under sustained attack through poisoned package repositories (PyPI, NuGet) and fake AI tool installers, because compromising a single developer machine can yield credentials that cascade into broader organizational breaches.
  • Government — The UAT-8302 espionage campaign targeting South American and European government networks demonstrates that state-sponsored groups are sharing sophisticated toolkits across clusters to maintain persistent access to sensitive diplomatic and policy information.
  • Banking and Finance — The TCLBANKER trojan's ability to self-propagate via WhatsApp and Outlook, combined with the continued abuse of legitimate cloud email services for business email compromise, indicates that financial fraud campaigns are becoming more autonomous and harder to contain.

Notable Incidents

  • Instructure Canvas Breach Exposes 275 Million Users — One of the largest education-sector breaches on record, with suspected voice phishing as the initial access vector into interconnected SaaS platforms, demonstrating how a single compromised identity can expose an entire ecosystem.
  • Massive AiTM Phishing Campaign Bypasses MFA at Scale — Targeted over 35,000 US employees with HR-themed lures and successfully bypassed non-phishing-resistant MFA using adversary-in-the-middle token theft, proving that standard MFA is no longer sufficient against well-crafted campaigns.
  • Critical Vulnerabilities Found in Commercial Robots — Unitree robot dogs and humanoids contain hardcoded backdoors and undocumented APIs allowing remote hijacking, wireless infection of neighboring robots, and covert surveillance—turning physical automation assets into insider threats.
  • Palo Alto PAN-OS Zero-Day Actively Exploited — A critical unauthenticated buffer overflow in a widely deployed firewall platform is being exploited in the wild with no patch available, forcing organizations to disable affected features immediately to prevent network compromise.